Notes from 2010-08-26 Pre-workshop discussion for FedSec workshop schedueld for Sep 8-9, 2010 1. Actions from last discussion - (Dave) check with Rebecca on total attendees - (Dave) Check with John Kunze on availability - (Dave) Engage CCIT to capture addtional requirements: https://trac.dataone.org/report/554 - (Mark) Send out invitations with travel logistics - (Matt) Add contact and technology to MN list - (Randy) Check on Ken's availability - Ken will be comming - (Randy & Jim) Preworkshop questionaire - (Bruce) Compile existing requirements documents, e.g. ESDIS - (Dave) Look back through CCIT notes and compile previous discussion items on security (ABQ VDC 2009, May?) - https://repository.dataone.org/documents/Projects/VDC/docs/20090602_04_ABQ_Meeting/20090604MeetingReport.pdf (page 7) - (Mark) Clean up agenda (for invitations) 2. Questionnaire Source available at: Entry at: https://spreadsheets.google.com/ccc?key=0Au-oThVeU4I-dFZYelJNbFNPek5IMWg2SDBIZXZhNmc&hl=en&authkey=CI6p9dcK#gid=0 The link for completing the survey: http://workshops.cilogon.org/d1 - D: data granularity - single blob or mor granular / record level - is data / metadata treated differently (Authz) - data sharing policies - Offline authentication / editing - Who to distribute the list? - MN managers - Large variability in the MN policies and infrastructure/admin support - Many metacat instances, but TEAM is a good example of someone else - ITK app developers / users - data policies in place at various institutions LTER: http://www.lternet.edu/data/netpolicy.html NCEAS: http://www.nceas.ucsb.edu/datapolicy ORNL: (Governed by the NASA EOS data policy) abstracted at http://www.ciesin.columbia.edu/docs/005-089/005-089art8.html and also on page 19 in http://eospso.gsfc.nasa.gov/ftp_docs/data_products_1.pdf and in http://eospso.gsfc.nasa.gov/eos_homepage/for_scientists/data_products/refbook2006.php PISCO: http://piscoweb.org/data/data-sharing-policy TEAM: http://www.teamnetwork.org/en/data/policy - Send out Monday, responses by Thursday 3. Agenda and supporting documentation MN list at: https://repository.dataone.org/documents/Projects/cicore/operations/membernodes.csv (rendered at http://mule1.dataone.org/OperationDocs/membernodes.html) Outcomes: * Overview of existing systems at MNs, CNs, other fedsec projects * (critical) short term technology recommendations, over next year, that we can implement * requirements discussion and vetting to get general consensus * strategy for long-term * Any recommendations for research or work NSF and/or other agencies should fund to address unmet needs. Topics * Problem statement (Dave) * What aspects of security need to be considered? * Include some of the expected outcomes * The security landscape - questionaire response - Randy & Jim - what's going on in the open fedsec world (e.g. google, openid, oauth, pam, ldap, ...) Randy & Jim - Some examples of federated systems, with their pros and cons - Campus level overview (Ken) * Generate a matrix of specific requirements (Dave, Matt) -- Provider nodes -- Consumer applications * Align requirements matrix with technologies * Short list technologies * Outline critical features and prioritize implementation for next couple of years * Discuss phased implementation strategy (provide requirements before meeting for review) Wednesday Morning (task - record requirements, capabilities during the session) - Problem statement (Dave) - DataONE overview - Usecases (general) (Matt) - Security landscape (Randy, Jim) - Federa - Campus level perspective as well (Ken) - Member node perspectives (10 mins each: current authz + authn, desired future) - Metacat (Matt) - Dryad (John Auman) - DAAC (Giri?) - CUAHSI (Jeff) - CDL perspective? (Perhaps John) - UNM library perspective (Dale) - DC (Tim) - EOSDIS Kevin Murphy? - Questionnaire responses (Jim, Randy) Afternoon - (Dave) formalize and prioritize requirements generated before meeting and captured during the morning session. - (Need to document the scenarios, use cases) Much of this might be available in the arch docs - e.g. access data from a web portal vs a desktop tool like R - provders: closed contribution systems vs completely open - perhaps 6 or so generic scenarios - (Randy) Document a set of key capabilities and try and match with technology / systems available - Technology options - need to identify sort / long term aspects of capabilities + technology options Thursday Morning - (Dave, Randy) develop specific recommendations for short and long term implementations -- Identity provision -- Authentication -- Authorization -- Service APIs for above three -- Accounting / logging interaction Afternoon - (Matt) Discuss phased implementation strategy - migration of existing systems - what is the path for a MN to adopt the recommended technology? - (Dave) Closeout (formalize documents, assign tasks / actions) / summary 4. Summary of invitations and attendees 5. Other New Actions 2010-08-26 - Questionnaire out (Randy, Jim) - Draft for comment by CCIT tomorrow (2010-08-27) - Send out survey on Monday (2010-08-30) - Responses by Thursady COB (2010-09-02) - Agenda fleshed out (Dave) - Is Kevin Murphy attending? (Mark) - Two projectors + screens (Mark) - Get requirements in document form (Dave) - Capture a few (6 or so) scenarios / high level use cases (Matt) - Compile a list of "security technologies / systems" that may be relevant and characterize major functionality provided (e.g. authentication, authorization, trusted identity transfer, ...) - Clarify expected implementation timeline (Dave) ============================================ Notes From 2010-08-11 The four main topics for this call are listed below along with some bullets (for guidance only) 1. Meeting logistics * Preparations of the facilities - Meeting room - 2 meeting rooms available - Equipment - check with facilities - Communications - Food - Check with Bob S. about local restaurants - Local transportation - block of rooms at Marriot * Travel logistics notification for attendees - need to send invite and logistics info 2. Attendees * Should ideally have representation from operators of repositories targeted for participation in DataONE (Member Nodes) * Also need input from experts in the field to provide guidance for technology and implementation decisions * Sufficient CCIT attendance to ensure technical participation * Randy Butler * Jim Basney * Jon Auman (Ryan Scherle proxy) * John Cobb * Jeff Horsbourgh * Matt Jones * John Kunze * Mark Servilla * Dave Vieglais * Bruce Wilson (cannot attend) or Giri Palanisamy * Ken Klingenstein * NASA EOSDIS Rep (Kevin Murphy)? * Tim DiLauro * Mark Evans * Eve Maler (?) * Tina Heath (ORNL cybersecurity lead, familiar with many FIPS and FISMA issues; pronounced Ti-na (long i) ) * Ed Bishop (ORNL) * David Kennedy (Data Conservancy) * Dale Hendrickson (UNM Libraries) - pre-workshop questionaire Tianmu Zhang (UTK grad student supported on DataONE) can assist with processing the questionaire and collating the results, as well as pre- and post-meeting tasks. Attending the meeting itself is a problem, due to missing classes. But he could use remote participation technology for some parts of the meeting, if useful. Here are the member nodes in consideration: http://dev-testing.dataone.org:8080/hudson/job/DataONE-Operations-Manual/javadoc/membernodes.html 3. Outline of the workshop agenda FedSec Requirements list: https://trac.dataone.org/report/554 Outcomes: * Overview of existing systems at MNs, CNs, other fedsec projects * (critical) short term technology recommendations, over next year, that we can implement * requirements discussion and vetting to get general consensus * strategy for long-term * Any recommendations for research or work NSF and/or other agencies should fund to address unmet needs. Topics * Problem statement (Dave) * What aspects of security need to be considered? * Include some of the expected outcomes * The security landscape - questionaire response - Randy & Jim - what's going on in the open fedsec world (e.g. google, openid, oauth, pam, ldap, ...) Randy & Jim - Some examples of federated systems, with their pros and cons - Campus level overview (Ken) * Generate a matrix of specific requirements (Dave, Matt) -- Provider nodes -- Consumer applications * Align requirements matrix with technologies * Short list technologies * Outline critical features and prioritize implementation for next couple of years * Discuss phased implementation strategy 4. Formalize the working group and outline ongoing activities --- Actions: - (Dave) check with Rebecca on total attendees - (Dave) Check with John Kunze on availability - (Dave) Engage CCIT to capture addtional requirements - (Mark) Send out invitations with travel logistics - (Matt) Add contact and technology to MN list - (Randy) Check on Ken's availability - (Randy & Jim) Preworkshop questionaire - (Bruce) Compile existing requirements documents, e.g. ESDIS - (Dave) Look back through CCIT notes and compile previous discussion items on security (ABQ VDC 2009, May?) - (Mark) Clean up agenda